Imagine you're a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No means to close it.
Imagine the user can't move or minimize this popup. It will go away only when the browser is killed or your show is done...

Now imagine you're a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or -- why not? -- a whole fake desktop to collect the user's data.

If you're using Opera or a Gecko-based browser, a similar full screen evil can be performed with just a few JavaScript lines. No need to compile and host any applet, thanks to the LiveConnect technology.

I've notified Sun on 29-Jul-2007.
My bug report was evaluated and publicly disclosed by Sun yesterday (06-Aug-2007) as a request for enhancement.

Update (08-Aug-2007):

Looks like responsibly filing a bug in Sun's bug tracker, religiously waiting one week for its classification by Sun engineers and having it finally published by Sun itself as a non-security-related RFE is not enough to go public. I should have known that security reports should be submitted to security-alert at sun dot com to be properly handled. When Maarten Van Horenbeeck (SANS ISC) did it, Sun asked him to request me "to keep the issue confidential, and hold the blog post, till Sun has completely fixed it and is ready to issue a Sun Alert to warn users". At that time, my post had already been out for some hours, read and commented on by many "hackers" supporting full disclosure. Therefore, I respectfully answered (directly to security-alert at sun dot com, with SANS in CC) explaining why retracting it would have been useless, but apologized for my mishandled report and offered any other help, including my promise to use security-alert at sun dot com instead of the regular bug tracker for future responsible disclosures. I have received no answer yet, but in the meantime my bug report has been reclassified and made inaccessible. I still wonder why I should have known better than a Sun Bug Tracker employee what the proper channel for a security report was...

Credits

This entry was posted on Tuesday, August 7th, 2007 at 2:33 pm and is filed under Java, Mozilla, Security, NoScript.

"[...] Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Imagine user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done… [...]"

Yes, a bug, but nothing as dramatic as you make it out to be. My menu bar remains visible, Exposé still functions, my browser's keyboard shortcuts (for back, close tab, close window...) still function. Plenty of options for a graceful recovery.

One thing I'll point out is that I can get the Task Manager to sit on top of it if I hit "Always On Top" and then it's easy to kill the applet. Also, this hack does depend on Java working correctly on people's machines. I've seen plenty of situations (my computer included) where an Applet doesn't work right because of competing VMs. Still, very impressive. Good job!

How about putting a timer in so that the applet goes away after a minute or 2, and tell everyone that they'll have control in 2 minutes etc...

Just a thought.

Great find -- thanks for sharing it with everyone -- I hope Sun gets off their asses soon. If I were in charge, I would send out an immediate patch that a child of an applet cannot create a window bigger than 600x480 -- and people who browse at that resolution deserve to be incapacitated.

In Opera 9.21, both of those methods can be closed by simply pressing ctrl+w.

Additionally in both methods, the task bar and start menu never disappear, so you can also just right-click on your browser and close it.

I mean, I agree that all browsers should come equipped with a no-script equivalent that is turned on by default, but this isn't really a problem for Opera users who are technically savvy (and I think all 7 of us probably are).

I think on Linux I'd be OK as the window manager on Linux allows me to be a bit more forceful with windows.
I like NoScript though, if only to reduce bandwidth and processor usage when it doesn't help me at all.

Regarding my earlier timer request -- I did not try clicking on the page (there was no text visible on FF2.0.0.6 on FC6). I then tried it on OSX and saw the text -- but also saw the dock, etc. as others are reporting.

Funny. I didn't have any problems.
WinXP Pro with Firefox 2.0.0.5 and a few tweaks, but Java and Javascript are enabled.
I middle clicked on the link for the supposed "hack" and it opened in a new tab.
Browser locked up for maybe 30 seconds and then everything was fine.
No full screen anything.

There are many good replies but some of you say that there are easy fixes that even the security researcher should have known. No fix is easy unless it can be widely taught. Most of the key-combos that will kill this thing are unknown to a vast majority of IE users. Those of us who are informed are probably already on something besides IE and know at least one of the keystroke shortcuts to killing this bug or have already downloaded no-script.
All of us who know a thing or two should also help our uneducated friends and family. I am already sending an e-mail to my 67 year old mom to tell her some of the ways to kill this thing. She works at home and must use IE for the software to work.

Funny. I tried this in Opera and Safari 3 on a Mac. Safari 3, neither link did anything. Opera, both links opened a full screen "PWNED" page, but the Dock and top bar were still visible. Gets even better, Opera crashed and had to be Force Quit.

The first link in FireFox (the applet one) can easily be closed with CMD+W. The second one doesn't open.

Ah.. double comment post! :P But I just read "AAAA's" post and had to comment.

"Imagine a “security researcher” so retarded he does not know you can close a window with ALT-F4.
Security researcher my hairy ass."

Question isn't whether the Security Researcher knows this, but how many end-users know that ALT+F4 will close a window. Many just know "X in corner means close" or "In Menu Bar on Mac click Applications Name then Quit". Plus, with what I've seen with Opera on Mac, I'm not sure if ALT+F4 would close the window. Opera just kinda locked up.

Everyone talks about just closing the screen and how this is not a big deal. Issue is what if the app is not taking the full screen, but simply sizes itself over your normal web content inside the window. You think you are just using your web browser, but meanwhile another application has control of what you see and what you are interacting with.

Since Sun has "hidden" the bug report I'm not sure about the details of this exploit. I think the big question would be whether or not the normal Applet sandbox limitations are circumvented. If you can open socket connections to anywhere at the same time that you can display whatever you want, things get really interesting.

I noticed that if you are behind the proxy with authentication the java applet will ask for your credentials. If you do not enter them that demo does not work.
The Java Applet cannot reuse the credentials of the browser it seems.

I'm using a Mac (as I have done for 20-odd years), and I just instinctively hit Command-W to "close window" (which closes Finder windows, browser tabs, or the browser window if it's the last tab visible). Command-Left Arrow takes you back to the previous page (thus closing it too) just like normal as well.

As other users have said, on the Mac, the tool bar and Dock remain visible while this window is open. You can equally use File-Close Window (or close tab) or open another page (which makes it go away).

Annoying for most Firefox and IE users on Windows, but this has been possible for over 10 years with IE and JavaScript to size and position windows slightly larger than the screen, and slightly off screen.

Yes, you can just Alt-Tab out of it, close it with Alt-F4, or any of the other numerous ways.

Now, imagine for a moment that people out there don't know everything about their computer. Those "other" people. You've seen them in the wild, they exist.

Suddenly your whole screen disappears (yes, some OSes keep the menu bar/start bar/[other] bar available, but most unknowing people use Windows and don't change any settings). All you can do is sit through the entire ad, or not realize you're not looking at your real desktop. Some people don't know what to expect. So when their desktop looks slightly different, and it shows Windows asking for a serial key, or their SSN, what do you think they will do?

With Konqueror, it at least shows "Java Applet Window" at the top, so I'm clued in this is not the real thing. Still, no means of closing except Strg+Alt+Esc and use xkill to shoot the bugger. The browser survives this, btw, only the Java VM is killed. KDE/X11 rules!

In response to the person who said, just use Alt-F4. ALT-F4, ctrl-shift-w, ctrl-w (last two are Firefox controls) all did not work to close the applet if Java was enabled in my browser. This is on a fairly secured machine. Win XP patched yesterday, Firefox 2.0.0.6. I had to use ctrl-alt-delete to get any form of control back on the primary display, and even then my only recourse was killing Firefox.

I had multiple monitors so I was not completely shut down, but as others have said this could be really nasty. I saw this used once before but luckily it was just a coding error and not an exploit attempt that time. Still a very nice find. Good work!

Actually, it doesn't work for me (Mac Mini, OS/X 10.4.10, under Firefox 2.0.0.6, at least). The Pure Java(tm) version throws a method not found exception, the JavaScript version just opens a regular tab.

I was able to use alt-tab and the taskbar remained visible, but I can easily imagine my mother being totally confused and tricked into entering anything on a "fake desktop" that doesn't even remotely look like hers.
win XP, ff 2.0.0.6

@All Mac OS X users:
The different behavior reported by many of you is not surprising, since the Java Virtual Machine deployed by Apple is a different, albeit compatible, implementation of Sun's Java specification developed by Apple itself.
Also, window size and availability of an easy closing method may vary with the window manager in use, and reading your reports it looks like OS X has a nice one, nicer than Win XP's at least (see Zack's post).

This is not a bug, it is the intended behavior that Java applets have. Yes it can be used for nefarious purposes, but it's been around for so long you'd think someone would've exploited it by now if they were gonna. Any advertiser that tries to use this will instantly be universally hated and exposed. The greater threat is from phishers, but phishers can fool people with emails anyways so is this really that big of a deal?

OK, I happen to use Windows95 with Mozilla 1.7.13, partly because I haven't found much out there that targets this combination. Note I know if I switched to Linux my system might also not be targeted much NOW, but what about the future as Linux market share grows? Remember, Win95 did NOT come with IE built into it. It simply has fewer features than can be misused, than later versions of Windows, and likely has fewer features than recent versions of Linux --and the market share of Win95 has been declining ever since Win98, so no reason for it to become a deliberate target.

Anyway, as evidence supporting the non-targeting of this system, I clicked on your "Applet based, works in any browser" link, and no, it didn't work. It did crash the browser with a "this program has performed an illegal operation" error. But since restarting the browser is easier than being phished or otherwise scammed, I can accept that. So I returned to this page and clicked on the "JavaScript based, works in Opera and Gecko-based browsers" link, for which Mozilla qualifies, I THOUGHT. Well, normally when I click on a link I right-click and select the "open in new tab" option. I am certain that JavaScript is enabled. But this Web page did not get covered by a popup. I clicked on the tab and that page also looked ordinary, not covered by a popup. I tried clicking on the JavaScript demo more than once. Eventually the browser crashed again, but I never saw a popup.

No problem here with a Mac running the Safari Beta. The Java worked fine but I was able to get rid of the window via the close window in the file menu. I could have used a keyboard shortcut as well. Since I am running Safari Stand that adds extra functions to Safari such as a sidebar the Java did not touch what Safari Stand handles. Being a Windows user as well I can see what havoc this could cause on a PC! Another good reason to surf the web with a Mac.

[...] the NoScript Firefox extension has highlighted a “mis-feature” in Java that allows an uncloseable, full-screen applet with no window decorations to be opened. There is a proof of concept applet available, but for the love of god don’t [...]

This is yet another reason I always surf with javascript disabled. Allowing pages to run full fledged programs at a whim, in one's browser, is a hugely stupid security risk, IMO. At LEAST require a "click to activate" warning page...

Interesting applet. However, when it goes full screen, my taskbar (Debian/Etch/KDE/Iceweasel) is still on top of the applet and I can drag the applet from one virtual desktop to another with it. Oh, and Alt-Left mouse button can still drag it around on the screen too. I suppose it could be a problem if you're not paying attention.

Corporate executives, especially in marketing, are foaming at the mouth over this one: force you to watch their advertisement. I work at an off-site location and they set your browser where you cannot adjust the security settings and you are required to use IE. The security settings are set to "lax". The corporate mgt basically tell you that Internet is a privilege and you are told that if you block pop-ups, you are considered a thief and it is not tolerated. You are not allowed to close the pop-up until you leave the site.

[...] blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole [...]

I think that on Linux and X the simplest solution is to Ctl-Alt-Fn to another console, login, kill -9 the offending process, then Ctl-Alt-Fn back to the desktop. I don't think it's possible for any GUI app to stop that.

Of course, being the curious lad I am I immediately clicked the link to the test. It worked, and my entire 23 tabs of browser were hidden... forever? Determined not to shut down my browser I leapt into action - spamming the "preferences" hotkey at lightning speed with one hand while clicking furiously on where the "Enable Java" checkbox was.

The bug was no match for my click-fu and the black screen disappeared as soon as I cut off its evil power. Take that, random superbugs!

This may be "no big deal" to some of you who are more technically adept at pressing keyboard shortcuts that are not generally known by the public. This could happen to your child, he'd be sitting there surfing sites and then suddenly he's staring at a full screen of Britney's behind and he doesn't see any way of closing the window... Worse is if it were Lindsay's...

So where is this Evil popup ???
I'm using Avant Browser (kind of onion holder for IE 6.x)
And I don't get any problems here with any links on this page (closing is no problem, nor do they get in the way).
Apparently my own popups work better than the one posted here? (or is it not here)

Always interesting to see how self-centered geeks can be, completely ignoring that there is a world out there with people that don't know each and every shortcut by heart, with ppl that can get easily tricked by some fake windows.

This problem is definitely a major issue and needs to get addressed as soon as possible.

On Windows Vista with latest version of Firefox, both full screen windows can be minimized and Firefox works exactly as well as before, no blocking at all.
So I'll label this as a cool feature rather than as a security issue.

Another interesting extension for Firefox is "Controle de Scripts". With it, you can enable/disable certain scripts, like resizing windows, removing toolbar/buttons/etc, switching images and many more.
Works great with NoScript.

Here are my steps to stopping the annoyance in WindowsXP Firefox 2.0.0.6:

The first demo, I used ctrl-F4 sequence. (kills firefox browser application)

The second demo, I hit the Window key (The one next to the Alt-key) to bring up the taskbar then right click on the firefox app (title task at the bottom) to select close option. (kills firefox browser application)...

I usually don't use IE, but tried IE7 in Vista to see your demo. As I use Firefox and No-Scripts it is not a problem for me, but scary that a malicious site could reduce an average user to killing their browser.

[...] Pure Java?, Pure Evil? Popups - Nasty, very nasty little bug in Java. I’ve not seen this being abused in the wild yet, but I don’t think it’ll be long before it is. [...]